Fast User-Mode Rootkit Scanner for the Enterprise
Abstract:
User-mode resource hiding through API interception and filtering is a well-known technique used by malware programs to achieve stealth. Although it is not as powerful as kernel-mode techniques, it is more portable and reliable and, as a result, widely used. In this paper, we describe the design and implementation of a fast scanner that uses a cross-view diff approach to detect all user-mode hiding Trojans and rootkits. We also present detection results from a large-scale enterprise deployment to demonstrate the effectiveness of the tool.
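The cross-view diff idea from the abstract, as an added illustration that is not code from the paper or its scanner: a high-level view obtained through the interceptable user-mode API is compared with a low-level view that bypasses it, and objects present only in the low-level view are flagged. The snapshot data and the repeat-scan filter for transient objects are constructed assumptions, not details taken from the paper.

```python
"""Cross-view diff for detecting API-level resource hiding (illustration).

A hider that filters API results can only remove entries from the
high-level view; a low-level enumeration that bypasses the API still sees
them. The difference between the two views is the set of hidden objects.
All snapshot contents below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """One view of a resource namespace, e.g. the process list."""
    resource: str          # "process", "file", "registry", ...
    view: str              # "high" (through the API) or "low" (bypassing it)
    items: set[str] = field(default_factory=set)


@dataclass
class Finding:
    resource: str
    hidden: set[str]       # in the low-level view, absent from the high-level one
    ghosts: set[str]       # in the high-level view only (usually transient)


def cross_view_diff(high: Snapshot, low: Snapshot) -> Finding:
    """Report objects that the API-level view does not return."""
    assert high.resource == low.resource and high.view == "high" and low.view == "low"
    return Finding(high.resource,
                   hidden=low.items - high.items,
                   ghosts=high.items - low.items)


def stable_hidden(runs: list[Finding]) -> set[str]:
    """Keep only objects hidden in every scan run. An object created or
    deleted between the two enumerations shows up in one view only; requiring
    it to be hidden across repeated runs drops such race artefacts.
    (Assumed false-positive filter, not taken from the paper.)"""
    sets = [f.hidden for f in runs]
    return set.intersection(*sets) if sets else set()


# Constructed sample: "hidden-sample.exe" is filtered from the API view in
# both runs; "notepad.exe" merely started between the two enumerations.
HIGH = Snapshot("process", "high", {"explorer.exe", "svchost.exe", "cmd.exe"})
LOW = Snapshot("process", "low", {"explorer.exe", "svchost.exe", "cmd.exe",
                                  "hidden-sample.exe"})
HIGH2 = Snapshot("process", "high", {"explorer.exe", "svchost.exe"})
LOW2 = Snapshot("process", "low", {"explorer.exe", "svchost.exe",
                                   "hidden-sample.exe", "notepad.exe"})

if __name__ == "__main__":
    runs = [cross_view_diff(HIGH, LOW), cross_view_diff(HIGH2, LOW2)]
    print("hidden in every run:", sorted(stable_hidden(runs)))
```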
BibTeX
@inproceedings {269168,
author = {Yi-Min Wang and Doug Beck},
title = {Fast {User-Mode} Rootkit Scanner for the Enterprise},
booktitle = {19th Large Installation System Administration Conference (LISA 05)},
year = {2005},
address = {San Diego, CA},
url = {https://www.usenix.org/conference/lisa-05/fast-user-mode-rootkit-scanner-enterprise},
publisher = {USENIX Association},
month = dec
}